For example, say
ssh -l hi 192.16.146.78
gives me this error
Permission denied (publickey,keyboard-interactive).
Can anyone provide a solution to this problem?
It is always a good idea to start a second sshd on the server,
of course in debug mode on another port, not as a daemon, like
sshd -D -p22000 -d (-d -d as much as you like)
then do a ssh -v -p22000 on the client.
Now there should be enough information to solve the problem.
regards
Volker
<kumaar...@gmail.com> wrote in message
news:1178823450....@y80g2000hsf.googlegroups.com...
I have attached herewith the logs (debug mode).
I am not able to fix the problem.
Kindly help to solve this problem.
bash-3.00# /usr/sbin/sshd -D -p19879 -ddd
debug2: load_server_config: filename /usr/etc/sshd_config
debug2: load_server_config: done config len = 281
debug2: parse_server_config: config /usr/etc/sshd_config len 281
debug3: /usr/etc/sshd_config:22 setting HostKey /usr/etc/ssh_host_rsa_key
debug3: /usr/etc/sshd_config:23 setting HostKey /usr/etc/ssh_host_dsa_key
debug3: /usr/etc/sshd_config:57 setting PasswordAuthentication no
debug3: /usr/etc/sshd_config:83 setting UsePAM yes
debug3: /usr/etc/sshd_config:95 setting UsePrivilegeSeparation no
debug3: /usr/etc/sshd_config:109 setting Subsystem sftp /usr/libexec/sftp-server
debug1: sshd version OpenSSH_4.5p1
debug3: Not a RSA1 key file /usr/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /usr/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
Disabling protocol version 1. Could not load host key
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-D'
debug1: rexec_argv[2]='-p19879'
debug1: rexec_argv[3]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 19879 on 0.0.0.0.
Server listening on 0.0.0.0 port 19879.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 19879 on ::.
Bind to port 19879 on :: failed: Address already in use.
debug1: fd 4 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 281
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 172.16.146.210 port 32847
debug1: Client protocol version 2.0; client software version OpenSSH_4.5
debug1: match: OpenSSH_4.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.5
debug2: fd 3 setting O_NONBLOCK
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-c...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-c...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zl...@openssh.com
debug2: kex_parse_kexinit: none,zl...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-c...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-c...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zl...@openssh.com,zlib
debug2: kex_parse_kexinit: none,zl...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 509/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 497/1024
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user ji service ssh-connection method none
debug1: attempt 0 failures 0
debug3: Trying to reverse map address 172.16.146.210.
debug2: parse_server_config: config reprocess config len 281
debug3: AIX/loginrestrictions returned 0 msg (none)
debug2: input_userauth_request: setting up authctxt for ji
debug1: PAM: initializing for "ji"
debug1: PAM: setting PAM_RHOST to "csm100.pam.com"
debug2: input_userauth_request: try method none
Failed none for ji from 172.16.146.210 port 32847 ssh2
debug1: userauth-request for user ji service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 204/0 (e=0/0)
debug1: trying public key file /home/ji/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 204/0 (e=0/0)
debug1: trying public key file /home/ji/.ssh/authorized_keys2
debug1: restore_uid: 0/0
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for ji from 172.16.146.210 port 32847 ssh2
debug1: userauth-request for user ji service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=ji devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: PAM: sshpam_init_ctx entering
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: PAM: sshpam_thread_conv entering, 1 messages
debug3: ssh_msg_send: type 1
debug3: ssh_msg_recv entering
Postponed keyboard-interactive for ji from 172.16.146.210 port 32847 ssh2
debug2: PAM: sshpam_respond entering, 1 responses
debug3: ssh_msg_send: type 6
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug1: do_pam_account: called
debug3: PAM: do_pam_account pam_acct_mgmt = 17 (User account has expired)
debug3: ssh_msg_send: type 17
debug3: PAM: User account has expired
PAM: User account has expired for ji from csm100.pam.com
debug2: auth2_challenge_start: devices <empty>
debug3: PAM: sshpam_free_ctx entering
debug3: PAM: sshpam_thread_cleanup entering
Failed keyboard-interactive/pam for ji from 172.16.146.210 port 32847 ssh2
debug3: AIX/setauthdb set registry 'files'
debug3: aix_restoreauthdb: restoring old registry ''
debug1: userauth-request for user ji service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=ji devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: PAM: sshpam_init_ctx entering
Failed keyboard-interactive for ji from 172.16.146.210 port 32847 ssh2
debug3: AIX/setauthdb set registry 'files'
debug3: aix_restoreauthdb: restoring old registry ''
debug1: userauth-request for user ji service ssh-connection method keyboard-interactive
debug1: attempt 4 failures 4
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=ji devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: PAM: sshpam_init_ctx entering
Failed keyboard-interactive for ji from 172.16.146.210 port 32847 ssh2
debug3: AIX/setauthdb set registry 'files'
debug3: aix_restoreauthdb: restoring old registry ''
Connection closed by 172.16.146.210
debug1: do_cleanup
bash-3.00#
> usr/etc/sshd_config:57 setting PasswordAuthentication no
looks a little strange.
How do you want to log in?
With a public key?
If you want to log in with a password, set it to "yes".
Try this first.
If you use PAM, what kind of authentication do you want to use?
> debug3: PAM: do_pam_account pam_acct_mgmt = 17 (User account has expired)
> debug3: ssh_msg_send: type 17
> debug3: PAM: User account has expired
> PAM: User account has expired for ji from csm100.pam.com
Seems like your account has expired??
hth
regards
volker
<kumaar...@gmail.com> wrote in message
news:1178905205....@o5g2000hsb.googlegroups.com...
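The log reading done in the reply above can be automated. This is an added example, not part of the original thread: a small triage script for `sshd -ddd` output that reports why each authentication method failed. The sample input is an excerpt of the log posted above with wrapped lines re-joined; the `triage` function and the report layout are assumptions made for this illustration.

```python
import re

# Excerpt of the sshd -ddd output posted in this thread, wrapped lines re-joined.
SAMPLE_LOG = """\
debug3: /usr/etc/sshd_config:57 setting PasswordAuthentication no
debug3: /usr/etc/sshd_config:83 setting UsePAM yes
debug1: trying public key file /home/ji/.ssh/authorized_keys
debug1: trying public key file /home/ji/.ssh/authorized_keys2
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for ji from 172.16.146.210 port 32847 ssh2
debug3: PAM: do_pam_account pam_acct_mgmt = 17 (User account has expired)
Failed keyboard-interactive/pam for ji from 172.16.146.210 port 32847 ssh2
Failed keyboard-interactive for ji from 172.16.146.210 port 32847 ssh2
"""

SETTING = re.compile(r"sshd_config:\d+ setting (\S+) (.+)$")
KEYFILE = re.compile(r"trying public key file (\S+)")
PUBKEY = re.compile(r"userauth_pubkey: authenticated (\d) pkalg (\S+)")
PAM_ACCT = re.compile(r"pam_acct_mgmt = (\d+) \((.+)\)")
FAILED = re.compile(r"^Failed (\S+) for (\S+) from (\S+)")

def triage(log_text):
    """Summarise why each authentication method failed in sshd debug output."""
    report = {"settings": {}, "key_files": [], "failed": [], "findings": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := SETTING.search(line):
            report["settings"][m.group(1)] = m.group(2)
        elif m := KEYFILE.search(line):
            report["key_files"].append(m.group(1))
        elif m := PUBKEY.search(line):
            if m.group(1) == "0":  # key rejected after the files above were checked
                report["findings"].append(
                    f"publickey: {m.group(2)} key not accepted after checking "
                    + ", ".join(report["key_files"]))
        elif m := PAM_ACCT.search(line):
            if m.group(1) != "0":  # 0 is PAM_SUCCESS; anything else blocks login
                report["findings"].append(
                    f"pam account check: code {m.group(1)} ({m.group(2)})")
        elif m := FAILED.search(line):
            report["failed"].append(m.group(1))
    if report["settings"].get("PasswordAuthentication") == "no":
        report["findings"].append("password method disabled in sshd_config")
    return report

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```
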
I want to log in with a public key.
I have a PAM Agent software installed so I have to set
PasswordAuthentication to "yes".
Authentication should be directed to the PAM Agent software.
I want to use SSH, SFTP and SCP authentication with my configuration.
I need some guidance to configure PAM with OpenSSH (from source, not as
RPM packages).
I have configured gcc, then zlib 1.2.3, OpenSSL 0.98e and then OpenSSH
4.5p1 with my setup.
Please provide me the steps in detail how to configure OpenSSH from
source (how to configure with what option in order to work with PAM) in
a much detailed way.
Thanks,
Kumar
Maybe you should try
comp.security.ssh
There should be better help with ssh and PAM.
regards
volker
<kumaar...@gmail.com> wrote in message
news:1178909846.6...@h2g2000hsg.googlegroups.com...
I'm a bit rusty on SSH and PAM, but where do you set
PasswordAuthentication? If it's in sshd_config, why set it to 'yes',
if you want keyed authentication?
I'd do a step by step debug process to isolate the problem:
- get your account set up correctly, i.e. make sure it's not
locked and you can actually log in. Check you can log in from
remote, e.g. via telnet.
- get SSH with passwords working without PAM.
- get SSH with keys working without PAM.
- get PAM involved.
> I want to use SSH, SFTP and SCP authentication with my configuration.
>
> I need some guidance to configure PAM with OpenSSH (from source, not as
> RPM packages).
> I have configured gcc, then zlib 1.2.3, OpenSSL 0.98e and then OpenSSH
> 4.5p1 with my setup.
> Please provide me the steps in detail how to configure OpenSSH from
> source (how to configure with what option in order to work with PAM) in
> a much detailed way.
Honestly, you're providing very little information to get
any real help here. I'd suggest you start by reading how
to set up SSH here: http://www.openssh.org
Regards,
Frank
I will refer to openssh.org.